Video: 4 Shocking Real-World Hacker Cases [Social Engineering]: Intrusion Methods You'd Never Expect! | Hackers | Social Engineering | Social Engineering Attacks | Twitter | Kevin Mitnick | 左耳故事

Hacking Humans: 4 Real-World Social Engineering Attacks

Summary

Quick Abstract

Uncover the power of social engineering with real-world hacking stories! This summary explores four captivating cases, from Kevin Mitnick's Motorola heist to the Twitter Bitcoin scam and the Target data breach. We'll delve into how attackers exploit human trust, curiosity, and helpfulness to bypass even the most sophisticated security systems and steal sensitive information.

Quick Takeaways:

  • Kevin Mitnick used social engineering to obtain Motorola's source code by impersonating employees.

  • Twitter Hack: Teen hackers socially engineered employees to access internal tools and hijack celebrity accounts.

  • Target Breach: Attackers targeted a small vendor to infiltrate Target's network and steal millions of credit card details.

  • Government Infiltration: A fake safety inspector gained physical access to a secure facility and planted backdoor devices.

Learn how seemingly simple tactics can lead to devastating security breaches, proving that people are often the weakest link.

Story 1: Kevin Mitnick and Motorola

  • In 1992, the hacker Kevin Mitnick was a fugitive from law enforcement because of his earlier intrusions. He wanted a way to talk with friends over mobile phones without being tracked or overheard.

  • He targeted Motorola's newest handset, the MicroTAC Ultra Lite. He believed that with the phone's internal firmware source code he could modify its communication protocol.

  • Instead of a technical intrusion, he used social engineering. He phoned Motorola posing as an employee and learned that the phone's software was developed at a research site in Arlington Heights, Illinois.

  • Adopting a new identity as a staff member of the Arlington Heights group, he called a vice president's office and was given the direct number of Pam, the project manager for the phone's software.

  • Pam was on vacation, so he called her colleague Alyssa. He claimed that Pam had promised to send him the source code and asked Alyssa to do it in her place.

  • Alyssa agreed, and even enlisted the security manager to help package and transfer the files. Within about 20 minutes Kevin had the complete source code.

  • He walked away with the source code. Motorola did not learn of the leak until years later, when the FBI arrested Kevin.

  • The episode shows the power of social engineering: Kevin exploited no network vulnerability and used no malware. Helpful employees handed him the code.

Story 2: The Twitter Account Takeover

  • On July 15, 2020, Twitter suffered a major security incident. The accounts of many high-profile users suddenly posted a scam promising to double any bitcoin sent to a given address.

  • The attackers did not breach Twitter's servers directly. They went after Twitter's employees.

  • During the COVID-19 pandemic many Twitter employees were working remotely, which created an opening for social engineering.

  • A group of young attackers, including 17-year-old Graham Ivan Clark, set out to obtain the accounts of Twitter staff with internal administrative access.

  • They gathered information about employees with internal-tool access from LinkedIn and from paid data brokers.

  • Posing as IT support, they phoned the employees, claimed there was a problem with an internal system or the VPN, and asked them to help "verify" their access.

  • They directed the employees to a fake internal site that mimicked the real VPN login page. The employees entered their usernames and passwords there.

  • The attackers then asked for the six-digit verification code. The employees read it out, and the attackers entered it on the real login page before it expired, defeating two-factor authentication.

  • With the employee accounts they searched the company's Slack channels for sensitive information and reached Twitter's internal account-administration tool.

  • They changed the registered email addresses on the target celebrities' accounts and posted the scam tweets. Hundreds of people fell for it, sending roughly US$118,000 in bitcoin (about 12.8 BTC).

  • Twitter spotted the anomaly and temporarily blocked affected accounts, and all verified accounts, from tweeting. Law enforcement charged three suspects about two weeks later.

  • Donald Trump's account was not hijacked because it had additional protections.
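The two-factor bypass in this story works because a one-time code is not tied to the site the victim typed it into: anyone who learns the code within its validity window can use it on the real login page. The added example below (my own illustration, not code from the video, from Twitter, or from the attackers) models that relay against RFC 6238 TOTP and then against an origin-bound challenge of the kind FIDO2/WebAuthn uses, where the authenticator signs the challenge together with the origin the browser is actually on. The TOTP seed, device key, origins, timestamps and user records are constructed for the demo, and an HMAC stands in for the authenticator's public-key signature.

```python
"""Added example: relayed TOTP succeeds, relayed origin-bound signature fails.
All secrets, origins and timestamps are constructed for the demo."""
import hmac
import hashlib
import struct

TOTP_SECRET = b"constructed-demo-seed"   # assumption: shared TOTP seed
DEVICE_KEY = b"constructed-device-key"   # assumption: stands in for a FIDO private key
VALID_USERS = {"employee": "Summer2020!"}  # constructed VPN account


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (seed used as raw bytes, no base32)."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def vpn_login_totp(username: str, password: str, code: str, now: float) -> bool:
    """The real VPN: password check, then the code for the current or previous 30 s step."""
    if VALID_USERS.get(username) != password:
        return False
    return any(code == totp(TOTP_SECRET, now - 30 * back) for back in (0, 1))


def relay_attack_totp(now: float) -> bool:
    """Attacker's fake VPN page collects username, password and the live code;
    the attacker replays all three to the real VPN a few seconds later."""
    phished_user, phished_pass = "employee", "Summer2020!"   # typed into the fake page
    phished_code = totp(TOTP_SECRET, now)                    # read out over the phone
    return vpn_login_totp(phished_user, phished_pass, phished_code, now + 5)


def sign_challenge(challenge: bytes, origin: str) -> bytes:
    """Authenticator signs (challenge || origin). The browser supplies the origin,
    so a user on the phishing site can only produce a signature over the fake origin."""
    return hmac.new(DEVICE_KEY, challenge + origin.encode(), hashlib.sha256).digest()


def vpn_login_origin_bound(challenge: bytes, rp_origin: str, signature: bytes) -> bool:
    """The real VPN verifies the signature against its own origin, never the client's claim."""
    expected = sign_challenge(challenge, rp_origin)
    return hmac.compare_digest(expected, signature)


def relay_attack_origin_bound() -> bool:
    """Attacker forwards the real challenge to the victim's browser on the fake site.
    The resulting signature is bound to the fake origin and is rejected."""
    real_origin = "https://vpn.example.com"             # assumption
    fake_origin = "https://vpn-example-support.com"     # assumption: phishing host
    challenge = b"constructed-random-challenge"         # would be a random nonce in practice
    relayed_signature = sign_challenge(challenge, fake_origin)
    return vpn_login_origin_bound(challenge, real_origin, relayed_signature)


if __name__ == "__main__":
    t = 1594800000  # 2020-07-15 UTC, constructed
    print("TOTP relay succeeds:", relay_attack_totp(t))
    print("Origin-bound relay succeeds:", relay_attack_origin_bound())
```

The practical takeaway is the one Twitter's own post-incident changes reflected: SMS and app-generated codes can be phished in real time, while security keys and other origin-bound authenticators cannot be relayed by a lookalike page, because the origin mismatch is baked into what is signed.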

Story 3: The Target Data Breach

  • In 2013, during the holiday shopping season, Target suffered a massive data breach. Attackers stole data on more than 40 million payment cards and personal information on up to 70 million customers.

  • The attackers did not go after Target's network directly. They chose a small Target vendor, the HVAC contractor Fazio Mechanical Services, as the entry point.

  • Target had given the vendor remote access to its vendor systems for business purposes, but the vendor's own network security was weak.

  • Between September and October 2013, Fazio employees received seemingly ordinary emails. One of them carried a malicious attachment.

  • Opening it installed credential-stealing malware, which recorded keystrokes and captured login details.

  • With this foothold in Fazio's systems, the attackers harvested, over the following weeks, the vendor's credentials for Target's network.

  • Using the stolen credentials, they logged into Target's vendor-facing portal, then moved laterally from the vendor segment into the corporate network.

  • They mapped the network segment hosting the point-of-sale (POS) systems and learned the full software deployment. They uploaded memory-scraping malware (later identified as BlackPOS) to POS terminals in a few stores.

  • On the eve of Black Friday they ran a small-scale test. It worked, so they pushed the malware to POS terminals in nearly all Target stores in the United States.

  • Throughout the holiday shopping season the malware captured card data from POS memory at the moment of each swipe. The attackers stole about 40 million card records.

  • Personal information on about 70 million customers was also taken. The malware staged the stolen data on an internal server and exfiltrated it in batches to avoid notice.

  • In mid-December the U.S. Department of Justice and the card-issuing banks noticed the fraudulent transactions, and Target publicly confirmed the breach.

  • It was one of the largest security incidents in the U.S. retail industry at the time.
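Memory-scraping POS malware works because card data sits unencrypted in the POS process for a moment between the swipe and the encrypted transaction, in the magnetic-stripe track formats. The same pattern matching can be turned around as a forensic or DLP check. The added example below (my own illustration, not Target's, Fazio's or the attackers' code) scans a memory buffer for Track 1 and Track 2 data and keeps only matches whose card number passes the Luhn check, which is how a scraper discards false positives and how an analyst can confirm a dump contains real card data. The buffer is constructed, and 4111111111111111 is a standard test number.

```python
"""Added example: scan a POS memory image for Track 1/Track 2 card data.
The memory buffer is constructed for the demo."""
import re

# Track 2: [;]PAN=YYMMSSS<discretionary>[?]  (SSS = service code)
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{2})(\d{2})\d{3}[0-9A-Za-z]*\??")
# Track 1: %BPAN^SURNAME/FIRST^YYMM...
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check; real card numbers pass, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(chr(ch))
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    """Keep BIN and last four so findings can be reported without re-exposing the PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_memory(buf: bytes) -> list:
    """Return Luhn-valid track data found in a memory buffer, masked, ordered by offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                         "exp": f"{m.group(3).decode()}/{m.group(2).decode()}"})
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1)
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                         "name": m.group(2).decode(errors="replace").strip(),
                         "exp": f"{m.group(4).decode()}/{m.group(3).decode()}"})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed POS process memory: a version string, one Track 1 record, one
# Track 2 record, one Luhn-invalid decoy that matches the Track 2 shape, and noise.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"
    b"\x00junk\x00;4111111111111111=25121011000012345678?\x00"
    b";1234567890123456=2512101?"
    b"\x00 total=19.95 \x00"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

Run against a process dump or a suspected staging file, the scanner answers the question Target's responders had to answer in December 2013: is card data present in the clear, and how much. On the defensive side the same regexes, applied to outbound traffic from the POS segment, are the kind of signal that point-to-point encryption and egress monitoring exist to produce.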

Story 4: Fake Safety Inspector Infiltrates Government Institutions

  • In 2022, a government institution, referred to in the video only as the X evidence service center, suffered an unusual intrusion of its internal network.

  • The institution handled private personal information and sensitive evidence data. Its physical security appeared strict, yet the attacker still reached the internal systems.

  • The attacker prepared thoroughly. From the official website and other public material he learned that the center held a routine safety inspection with the fire department every June.

  • He also obtained details of the cleaning contractor and of the building's security procedures, then built a cover identity as a fire safety inspector.

  • One morning he arrived at the front desk and presented forged identification and paperwork. The desk security staff checked the documents and let him in.

  • He made a show of inspecting fire extinguishers and emergency exits while noting the office layout and the movements of staff.

  • At the door of the IT server room he said he needed to check the smoke detectors. A staff member badged him in with their own access card.

  • He quickly scanned the room, picked an unattended workstation still logged in as an administrator, and plugged in a prepared USB drive.

  • A script on the drive created a hidden local administrator account and opened a remote-access backdoor. He removed the drive and carried on "inspecting" other equipment.

  • After the server room he toured several more floors, then excused himself to the washroom, which gave him a few unobserved minutes.

  • He plugged a small wireless implant into a network jack. The device relayed internal network traffic out over a 4G connection.

  • A few minutes later he returned to the front desk, declared the inspection complete, and left with a signed inspection report.

  • Back at his base, he used the backdoor account and the planted network implant to reach the center's internal network and servers.

  • Evading monitoring, he logged in repeatedly and gradually extracted large volumes of sensitive data.

  • A few weeks later the data surfaced on the dark web. The government was stunned, but the attacker had long since vanished.
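The backdoor in this story leaves a recognisable trail in the Windows Security log: a local account created by an interactive user rather than the provisioning system, elevated to Administrators within seconds, and later used for remote logons from a device that is not in the asset inventory (the 4G implant). The added example below (my own illustration, not the center's tooling or the attacker's script) is a small correlation rule over constructed log records. The event IDs are the real Windows ones (4720 account created, 4732 member added to a local group, 4624 logon, logon type 10 = RemoteInteractive); the hostnames, account names, IP addresses, inventory and provisioning account are assumptions made up for the demo.

```python
"""Added example: correlate Windows Security events for the backdoor-account
pattern. Log records, inventory and account names are constructed."""
from datetime import datetime, timedelta

ALLOWED_PROVISIONERS = {"CENTER\\provisioning-svc"}   # assumption: the only sanctioned creator
KNOWN_HOSTS = {"10.20.5.10", "10.20.5.11", "10.20.5.12"}  # assumption: asset inventory

# Constructed Windows Security log records. Note the trailing '$' on the backdoor
# account name: accounts ending in '$' are hidden from 'net user' output.
EVENTS = [
    {"time": "2022-06-14T09:58:40", "id": 4720, "host": "FILESRV-01",
     "subject": "CENTER\\provisioning-svc", "target": "analyst07"},
    {"time": "2022-06-14T10:02:11", "id": 4720, "host": "IT-ADMIN-02",
     "subject": "CENTER\\jdoe", "target": "svc_backup$"},
    {"time": "2022-06-14T10:02:13", "id": 4732, "host": "IT-ADMIN-02",
     "subject": "CENTER\\jdoe", "target": "svc_backup$", "group": "Administrators"},
    {"time": "2022-06-14T11:30:02", "id": 4624, "host": "FILESRV-01",
     "target": "CENTER\\jdoe", "logon_type": 10, "src_ip": "10.20.5.11"},
    {"time": "2022-06-14T23:41:05", "id": 4624, "host": "IT-ADMIN-02",
     "target": "svc_backup$", "logon_type": 10, "src_ip": "10.20.5.77"},
]


def correlate(events: list, elevation_window=timedelta(minutes=10),
              new_account_age=timedelta(hours=24)) -> list:
    """Return (rule, host, account, detail) alerts for the backdoor-account pattern."""
    alerts = []
    created = {}  # (host, account) -> creation time
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        key = (e["host"], e.get("target"))
        if e["id"] == 4720:
            created[key] = t
            if e["subject"] not in ALLOWED_PROVISIONERS:
                alerts.append(("account-created-outside-provisioning",
                               e["host"], e["target"], e["subject"]))
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            if key in created and t - created[key] <= elevation_window:
                alerts.append(("new-account-elevated-fast",
                               e["host"], e["target"], str(t - created[key])))
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            src = e.get("src_ip", "")
            if (key in created and t - created[key] <= new_account_age
                    and src not in KNOWN_HOSTS):
                alerts.append(("remote-logon-by-new-account-from-unknown-host",
                               e["host"], e["target"], src))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Each rule is weak on its own (helpdesk staff do create accounts, and admins do log in remotely), which is why the example keys every later event to the creation record: an account that is created outside the provisioning path, made an administrator within minutes, and then used from a source address the inventory has never seen is the combination that matches a planted backdoor rather than routine work. In the story, the unattended logged-in admin session and the unescorted server-room access are the earlier, cheaper places to have stopped it.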

Conclusion

  • These four cases show how attackers combine psychological manipulation, live role-play, and technical means to breach targets that look hard to approach.

  • People remain the weakest link in the security chain. However advanced the systems and firewalls, they cannot stop an employee from opening the door to an attacker, and that gap is sometimes more damaging than any technical weakness.
